Make sure that a MediaEntry does belong to this appropriate user in

the decorator. (Thanks Elrond)
2011-05-20 19:12:32 -05:00 · 2011-05-20 19:12:32 -05:00 · 01674e105c
commit 01674e105c
parent 571198c938
2 changed files with 19 additions and 7 deletions
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.


+from bson.errors import InvalidId
 from webob import exc

 from mediagoblin.db.util import ObjectId
@ -65,20 +66,31 @@ def uses_pagination(controller):
    return _make_safe(wrapper, controller)


-def get_media_entry(controller):
+def get_user_media_entry(controller):
    """
    Pass in a MediaEntry based off of a url component
    """
    def wrapper(request, *args, **kwargs):
+        user = request.db.User.find_one(
+            {'username': request.matchdict['user']})
+
+        if not user:
+            return exc.HTTPNotFound()
+
        media = request.db.MediaEntry.find_one(
            {'slug': request.matchdict['media'],
-             'state': 'processed'})
+             'state': 'processed',
+             'uploader._id': user['_id']})

        # no media via slug?  Grab it via ObjectId
        if not media:
-            media = request.db.MediaEntry.find_one(
-                {'_id': ObjectId(request.matchdict['media']),
-                 'state': 'processed'})
+            try:
+                media = request.db.MediaEntry.find_one(
+                    {'_id': ObjectId(request.matchdict['media']),
+                     'state': 'processed',
+                     'uploader._id': user['_id']})
+            except InvalidId:
+                return exc.HTTPNotFound()

            # Still no media?  Okay, 404.
            if not media:
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@ -18,7 +18,7 @@ from webob import Response, exc
 from mediagoblin.db.util import DESCENDING
 from mediagoblin.util import Pagination

-from mediagoblin.decorators import uses_pagination, get_media_entry
+from mediagoblin.decorators import uses_pagination, get_user_media_entry


@uses_pagination
@ -52,7 +52,7 @@ def user_home(request, page):
             'pagination': pagination}))


-@get_media_entry
+@get_user_media_entry
 def media_home(request, media):
    """'Homepage' of a MediaEntry()"""
    # Check that media uploader and user correspond.